author | Nikita Popov <nikita.ppv@gmail.com> | 2019-06-27 16:52:19 +0200 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2019-06-28 09:18:32 +0200 |
commit | f365d0e00ed93b1c33e984ff3b4cc8677cbca193 (patch) | |
tree | 73577dda0d13024d2104a2bb0f3859857ccca2ae | |
parent | a78adce5cb766a3e13328bd0d79d6ac599f3f8bc (diff) | |
Fix mysqlnd memory leak
The actual leak is observed in ext/pdo_mysql/tests/bug_74376.phpt.
The persistent connection leaks because a refcount decrement on a
result is missed. The refcount decrement is missed because
free_result_contents is used, rather than free_result.
Looking at other uses of free_result_contents, it looks like they
could also suffer from this problem. Apart from one case,
free_result_contents is always used to release the result entirely
(I've adjusted the one differing case to only free meta), so I'm
moving most of the logic from free_result into free_result_contents.
The only difference is now that free_result will skip_result first.
-rw-r--r-- | ext/mysqlnd/mysqlnd_ps.c | 2 | ||||
-rw-r--r-- | ext/mysqlnd/mysqlnd_result.c | 20 |
2 files changed, 10 insertions, 12 deletions
diff --git a/ext/mysqlnd/mysqlnd_ps.c b/ext/mysqlnd/mysqlnd_ps.c index 5c1896c18c..5207c1b506 100644 --- a/ext/mysqlnd/mysqlnd_ps.c +++ b/ext/mysqlnd/mysqlnd_ps.c @@ -122,7 +122,6 @@ MYSQLND_METHOD(mysqlnd_stmt, store_result)(MYSQLND_STMT * const s) } else { COPY_CLIENT_ERROR(conn->error_info, result->stored_data->error_info); stmt->result->m.free_result_contents(stmt->result); - mysqlnd_mempool_destroy(stmt->result->memory_pool); stmt->result = NULL; stmt->state = MYSQLND_STMT_PREPARED; } @@ -341,7 +340,6 @@ mysqlnd_stmt_prepare_read_eof(MYSQLND_STMT * s) if (FAIL == (ret = PACKET_READ(conn, &fields_eof))) { if (stmt->result) { stmt->result->m.free_result_contents(stmt->result); - mnd_efree(stmt->result); /* XXX: This will crash, because we will null also the methods. But seems it happens in extreme cases or doesn't. Should be fixed by exporting a function (from mysqlnd_driver.c?) to do the reset. diff --git a/ext/mysqlnd/mysqlnd_result.c b/ext/mysqlnd/mysqlnd_result.c index 0aa69a0d61..52258cd140 100644 --- a/ext/mysqlnd/mysqlnd_result.c +++ b/ext/mysqlnd/mysqlnd_result.c @@ -302,6 +302,13 @@ void MYSQLND_METHOD(mysqlnd_res, free_result_contents_internal)(MYSQLND_RES * re result->m.free_result_buffers(result); + if (result->conn) { + result->conn->m->free_reference(result->conn); + result->conn = NULL; + } + + mysqlnd_mempool_destroy(result->memory_pool); + DBG_VOID_RETURN; } /* }}} */ @@ -312,17 +319,10 @@ static void MYSQLND_METHOD(mysqlnd_res, free_result_internal)(MYSQLND_RES * result) { DBG_ENTER("mysqlnd_res::free_result_internal"); - result->m.skip_result(result); + result->m.skip_result(result); result->m.free_result_contents(result); - if (result->conn) { - result->conn->m->free_reference(result->conn); - result->conn = NULL; - } - - mysqlnd_mempool_destroy(result->memory_pool); - DBG_VOID_RETURN; } /* }}} */ 
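Review bot: In mysqlnd_stmt_prepare_read_eof, `stmt->result` still holds the old pointer after `stmt->result->m.free_result_contents(stmt->result);` now that the `mnd_efree` line is gone, and the visible lines do not clear it. Since free_result_contents destroys the result's memory pool as of this commit, any later read through that pointer would touch released memory; I would add `stmt->result = NULL;` directly after the call, as the store_result hunk above does. The XXX comment below suggests the statement is reset afterwards, but that code is outside the hunk, so this may already be covered there.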
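Review bot: free_result_contents_internal now releases the connection reference and destroys `result->memory_pool`, so the name no longer tells callers that the result is unusable afterwards, and calling it twice (or following it with free_result) would destroy the pool a second time. A comment above the added lines would make that explicit, for example `/* Drops the conn reference and destroys the pool: result must not be touched after this call. */`. The method is reached through `result->m.free_result_contents`, so code outside these two files that still pairs it with its own `mysqlnd_mempool_destroy` call would need the same cleanup as the call sites changed here. The function begins outside the hunk.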
@@ -355,7 +355,8 @@ MYSQLND_METHOD(mysqlnd_res, read_result_metadata)(MYSQLND_RES * result, MYSQLND_
 /* It's safe to reread without freeing */
 if (FAIL == result->meta->m->read_metadata(result->meta, conn, result)) {
- result->m.free_result_contents(result);
+ result->meta->m->free_metadata(result->meta);
+ result->meta = NULL;
 DBG_RETURN(FAIL);
 }
 /* COM_FIELD_LIST is broken and has premature EOF, thus we need to hack here and in mysqlnd_res_meta.c */
@@ -517,7 +518,6 @@ mysqlnd_query_read_result_set_header(MYSQLND_CONN_DATA * conn, MYSQLND_STMT * s)
 if (FAIL == (ret = PACKET_READ(conn, &fields_eof))) {
 DBG_ERR("Error occurred while reading the EOF packet");
 result->m.free_result_contents(result);
- mysqlnd_mempool_destroy(result->memory_pool);
 if (!stmt) {
 conn->current_result = NULL;
 } else { |
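Review bot: On the failure path of read_result_metadata only `result->meta` is released now, so the rest of `result` stays allocated and every caller has to free it when FAIL comes back; the hunk does not show that they do. A comment above the two added lines would record that contract, for example `/* Free only the metadata; the caller still owns result and releases it on FAIL. */`. This is worth stating because free_result_contents destroys the memory pool as of this commit, so a caller that frees the result after a FAIL is only safe if this path leaves the pool alone. The function starts and ends outside the hunk.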